I notice that the first thing in your bootlog is '+'. This is normally generated by Redboot to indicate that the system has been power cycled. It may be that Redboot has just been set to boot silently or something similar. Is there a delay between the '+' and the kernel booting? If so, try Ctrl-C to access Redboot.
I pm'ed him when I first read the post (some time ago) and received no reply. I'll try again.
A quick bit of googling shows two interesting things:
he's on myspace and checked it yesterday.
he works or did work at watchguard.
It's probably worth noting here for anyone searching that the X10, X20 and X55 are identical hardware. They were available with or without wireless. I suspect, but can't confirm, that you could add the mini-pci card for wireless but you'd have to drill the case for the antennas. See:
Posted: Sun Oct 03, 2010 12:53 Post subject: No Luck
Just an update.
After reading TFM I have restored my Edge to working order which is fun to play with but not any closer to replacing the firmware.
Some things that might save someone some time.
The default IP of the Watchguard firmware is 192.168.111.1.
I have failed to connect to Redboot via telnet so far.
The device can be reset to factory defaults by holding down the reset button when powering up. I'm uncertain how long it must be held but I think no more than 10 seconds because...
When you boot with the reset button pressed Redboot will boot a backup partition that then resets the main partition and config. If it is successful then the orange LED (marked 'Attn') will light. Only the backup partition has console output on the rear serial port.
The 'Mode' LED indicates a successful connection to WAN1, it will flash while trying to connect.
Internally the device has a surface mounted switch marked 'ON' or '1'. Default is ON. When I first received my box it was totally hosed, only the power LED. Only after I moved the switch was I able to recover it. It appears to connect/disconnect a backup battery.
There are several internal headers. Haven't explored them yet. (second serial port? USB?)
I have tried guessing the Redboot password based on the default password for other manufacturers with no luck. Given that I don't even know how many characters it is and this box is supposed to be a security appliance I think I'm wasting my time!
I have confirmed that the switch on the PCB enables/disables the backup battery. Default is enabled. With it enabled, going through the factory reset procedure will restore the firmware but not your settings (local IP, admin logon etc...). Resetting with the switch off truly resets everything.
The box, unusually, has two flash types. Perhaps the 1MB NOR is battery backed?
Update: Nope, doesn't seem likely. The actual chip is non-volatile flash and it seems to remember configuration changes across a reboot with the switch in either position.
Without using JTAG I am at a dead end.
My current attack angle is to try and get a root shell by exploiting a bug in the stock interface and then use the mtd command to write the flash.
However it seems that Watchguard haven't left any bugs for me to exploit!
Some interesting new information.
I successfully downgraded my box to 8.0.3. In order to do this you must have either a valid 'livesecurity' or not connect the box to the internet until after the firmware change.
Upon first boot I got:
RedBoot partition parsing not available
cmdlinepart partition parsing not available
IXP425 Flash: Using static MTD partitions.
Creating 6 MTD partitions on "IXP425 Flash":
0x00000000-0x00050000 : "Redboot"
0x00050000-0x00080000 : "cfg0"
0x00080000-0x000b0000 : "cfg1"
0x000b0000-0x000c0000 : "mfg"
0x000c0000-0x000d0000 : "bootOpt"
0x000e0000-0x00100000 : "RedbootConfig"
Scanning for TC58DVM82A...
NAND device: Manufacturer ID: 0xec, Chip ID: 0x76 (Samsung NAND 64MiB 3,3V 8-bit)
Scanning device for bad blocks
Using static partition definition
Creating 5 MTD partitions on "NAND 64MiB 3,3V 8-bit":
0x00000000-0x00200000 : "SysA Kernel"
0x00200000-0x02000000 : "SysA Code"
0x02000000-0x03800000 : "SysA Data"
0x03800000-0x03a00000 : "SysB Kernel"
0x03a00000-0x04000000 : "SysB Code"
So it appears that Redboot and its config are stored on the 1MB flash chip whilst the Watchguard firmware (normal and backup) are on the 64MB.
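
Added example, not part of the original post: a short Python script that parses the MTD partition lines from the boot log above, totals the mapped range of each chip and flags unmapped holes or overlapping partitions. The function names are illustrative, and it assumes the kernel prints each range as start (inclusive) to end (exclusive).

```python
import re

# Partition lines copied from the boot log in the post above.
BOOT_LOG = """\
Creating 6 MTD partitions on "IXP425 Flash":
0x00000000-0x00050000 : "Redboot"
0x00050000-0x00080000 : "cfg0"
0x00080000-0x000b0000 : "cfg1"
0x000b0000-0x000c0000 : "mfg"
0x000c0000-0x000d0000 : "bootOpt"
0x000e0000-0x00100000 : "RedbootConfig"
Scanning for TC58DVM82A...
Creating 5 MTD partitions on "NAND 64MiB 3,3V 8-bit":
0x00000000-0x00200000 : "SysA Kernel"
0x00200000-0x02000000 : "SysA Code"
0x02000000-0x03800000 : "SysA Data"
0x03800000-0x03a00000 : "SysB Kernel"
0x03a00000-0x04000000 : "SysB Code"
"""

HEADER = re.compile(r'Creating (\d+) MTD partitions on "([^"]+)":')
PART = re.compile(r'0x([0-9a-fA-F]{8})-0x([0-9a-fA-F]{8}) : "([^"]+)"')

def parse_mtd(log):
    """Return {device: {"declared": n, "parts": [(start, end, name), ...]}}."""
    devices, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            current = devices.setdefault(m.group(2), {"declared": int(m.group(1)), "parts": []})
        elif (m := PART.match(line)) and current is not None:
            current["parts"].append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return devices

def audit(dev):
    """Compare listed vs declared count and find gaps/overlaps in one device's map."""
    gaps, overlaps, cursor = [], [], 0
    for start, end, name in sorted(dev["parts"]):
        if start > cursor:        # address range no partition covers
            gaps.append((cursor, start))
        elif start < cursor:      # partition begins inside an earlier one
            overlaps.append((start, min(cursor, end), name))
        cursor = max(cursor, end)
    return {"listed": len(dev["parts"]), "declared": dev["declared"],
            "span": cursor, "gaps": gaps, "overlaps": overlaps}

if __name__ == "__main__":
    for name, dev in parse_mtd(BOOT_LOG).items():
        r = audit(dev)
        print(name, f"{r['span'] // 1024} KiB mapped", [(hex(a), hex(b)) for a, b in r["gaps"]])
```

On this log the NOR map ends at 1 MiB with one 64 KiB hole at 0x000d0000-0x000e0000 that no partition covers, and the NAND map is contiguous up to 64 MiB.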